CVE-2020-26935
📋 TL;DR
This SQL injection vulnerability in phpMyAdmin's search feature allows attackers to inject malicious SQL queries. It affects all phpMyAdmin installations before version 4.9.6 and 5.x before 5.0.3. Attackers could potentially read, modify, or delete database contents.
💻 Affected Systems
- phpMyAdmin
📦 What is this software?
Backports Sle by Opensuse
Fedora by Fedoraproject
Leap by Opensuse
Phpmyadmin by Phpmyadmin
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, privilege escalation to database administrator, and potential server takeover via SQL injection to RCE chain.
Likely Case
Unauthorized data access, data manipulation, privilege escalation within the database, and potential exposure of sensitive information.
If Mitigated
Limited impact with proper input validation, parameterized queries, and least privilege database accounts.
🎯 Exploit Status
Exploitation requires authentication to phpMyAdmin but not necessarily database admin privileges. SQL injection is well-understood and weaponization is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.6 or 5.0.3
Vendor Advisory: https://www.phpmyadmin.net/security/PMASA-2020-5/
Restart Required: No
Instructions:
1. Back up your phpMyAdmin configuration and databases.
2. Download phpMyAdmin 4.9.6 or 5.0.3 from official sources.
3. Replace the existing phpMyAdmin installation with the patched version.
4. Verify functionality.
🔧 Temporary Workarounds
Disable Search Feature
Temporarily disable the search functionality in phpMyAdmin to prevent exploitation.
Edit config.inc.php and add: $cfg['Servers'][$i]['AllowSearch'] = false;
Restrict Access
Limit phpMyAdmin access to trusted IP addresses only.
Add to .htaccess: Require ip 192.168.1.0/24
Or configure web server ACLs
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns
- Restrict database user permissions to minimum required (SELECT only if possible)
🔍 How to Verify
Check if Vulnerable:
Check the phpMyAdmin version in the interface footer or in the version.php file.
Check Version:
grep -i 'version' /path/to/phpmyadmin/libraries/classes/Version.php | head -1
Verify Fix Applied:
Verify that the version is 4.9.6 or higher for the 4.x series, or 5.0.3 or higher for the 5.x series.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in phpMyAdmin logs
- Multiple failed search attempts
- SQL syntax errors in web server logs
Network Indicators:
- POST requests to search.php with SQL keywords
- Unusual database query patterns from web server
SIEM Query:
source="*phpmyadmin*" AND ("UNION" OR "SELECT *" OR "information_schema" OR "--" OR "/*")
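The version check from "How to Verify" and the indicator match from the SIEM query above, combined into one script. This is an added example, not code from the advisory or from the phpMyAdmin project; the log lines are constructed, the scanner only inspects the request line of a web-server access log (POST bodies are not logged there), and `tbl_search.php` / `route=/database/search` appear only as sample paths.

```python
import re
from urllib.parse import unquote_plus

def parse_version(version: str) -> tuple:
    """Turn '4.9.5' (or '5.0.3-1.el8') into a comparable (major, minor, patch) tuple."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if len(parts) < 3:
        raise ValueError(f"unparseable phpMyAdmin version: {version!r}")
    return parts

def is_vulnerable(version: str) -> bool:
    """Affected range from the advisory: anything below 4.9.6, and 5.x below 5.0.3."""
    parts = parse_version(version)
    if parts[0] == 5:
        return parts < (5, 0, 3)
    return parts < (4, 9, 6)

# Indicators mirrored from the SIEM query above; matched case-insensitively on the decoded URL.
INDICATORS = ("UNION", "SELECT *", "information_schema", "--", "/*")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_log(lines):
    """Return [(line_no, [indicators hit])] for requests to a phpMyAdmin path.
    Only the request line is inspected: POST bodies are not in an access log,
    so searches submitted by POST need application or WAF logging to be seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m or "phpmyadmin" not in m.group("path").lower():
            continue
        decoded = unquote_plus(m.group("path")).lower()
        found = [i for i in INDICATORS if i.lower() in decoded]
        if found:
            hits.append((n, found))
    return hits

# Constructed sample access-log lines (combined format); not real traffic.
LOG_SAMPLE = [
    '10.0.0.5 - - [01/Oct/2020:12:00:01 +0000] "GET /phpmyadmin/index.php?route=/database/search&db=app HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Oct/2020:12:00:09 +0000] "GET /phpmyadmin/tbl_search.php?db=app&table=users&criteria=1+UNION+SELECT+*+FROM+information_schema.tables+--+ HTTP/1.1" 200 3210',
    '10.0.0.9 - - [01/Oct/2020:12:00:15 +0000] "GET /blog/?s=UNION+station HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for v in ("4.9.5", "4.9.6", "5.0.2", "5.0.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for n, found in scan_log(LOG_SAMPLE):
        print(f"line {n}: {', '.join(found)}")
```

Keyword matching of this kind is noisy on legitimate administrator queries, so treat a hit as a trigger for review of the session rather than as proof of exploitation.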
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html
- https://advisory.checkmarx.net/advisory/CX-2020-4281
- https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5/
- https://security.gentoo.org/glsa/202101-35
- https://www.phpmyadmin.net/security/PMASA-2020-6/